Microsoft’s Office has an unpatched bug; can lead to data exposure, warns the Windows-maker
Microsoft disclosed an unpatched zero-day in Office that could be used by threat actors to access sensitive information. The vulnerability in Office has been described as a spoofing flaw that relies on social engineering to lure users into clicking on maliciously crafted links.
Attackers could host a website, or use compromised websites, to target users. Links to these maliciously crafted websites are then sent to the targeted users either through email or through a message on the Messenger app. Users are lured into clicking on the link, which delivers to their systems a file specifically designed to exploit the vulnerability.
Microsoft is expected to release a formal patch for the vulnerability as soon as 13 August. In the meantime, the Windows-maker has enabled an alternative fix.
The disclosure comes even as Microsoft says it is working on addressing two zero-day flaws that could be exploited to “unpatch” up-to-date Windows systems, opening them up to attacks leveraging older vulnerabilities.